Mac Malware: Myth or Reality?

February 2010

There are far fewer viruses, worms and Trojan horses affecting Macs, but here are some things to be aware of, says Laurent Marteau, CEO of Intego.

It has to be said that there are far fewer viruses, worms and Trojan horses affecting Macs than Windows PCs, but the risk is real, and it's getting worse. In fact, the complacency of Mac users, who have almost been led to believe that their platform is germ-free, may lead to more serious outbreaks should virulent malware target the Mac. Most Mac users simply don't know how to react in the event of a malware attack.

If we look at the past year, 2009, we can see that malware writers are increasingly targeting the Mac. In January, shortly after Apple announced a new version of their iWork suite of productivity software, malware writers took advantage of it. Mac users who downloaded the software (a whopping 450MB) via BitTorrent were also treated to the iServices Trojan horse, hidden inside the iWork installer.

The iServices Trojan opened a backdoor on infected Macs, and it connected to remote servers to download new code. It was actively used as part of a botnet that was involved in distributed denial of service attacks and more.

Shortly thereafter, seeing the success of the first version of the iServices Trojan, the same cyber-criminals planted the next version of their malware with copies of Adobe Photoshop CS4 for Mac found on BitTorrent trackers. The actual Photoshop installer was clean, but the Trojan horse was found in a crack application used to serialise the software. Functioning in a similar manner as the first version, the iServices.B Trojan horse allowed remote users to perform actions on infected Macs.

The RSPlug Trojan horse, which Intego first discovered in October 2007, exists now in more than a dozen variants. There were six new variants in 2009, some masquerading as video codecs, and some which claimed to be games, MP3 files and others. Several other types of malware targeting the Mac were spotted during the year.

Phishing attacks targeting Mac users were on the rise as well, with well-crafted phishing e-mails, purportedly from Apple, sent to entice subscribers of the company's MobileMe online service to surrender their credit card numbers. Other phishing e-mails specifically targeted users of other Apple products, such as the iPhone and the forthcoming iPad.

Malware is not the only security threat to Macs. Operating system and third-party software vulnerabilities can be chinks in computers' armour, allowing remote exploits to take advantage of unpatched weaknesses. Apple issued 34 security updates in 2009, to patch Mac OS X, its software and its hardware, and popular third-party software (such as programs from Microsoft and Adobe) saw a number of updates during the year.

One of the new ways that attackers can target Macs is by taking advantage of these vulnerabilities and attacking computers from web pages and over a network. A number of exploits are available that can gain access to Macs easily, if a user simply visits a web page. (One noted Mac security researcher won a Mac hacking contest by exploiting a bug in Apple's Safari web browser; all he needed to do was point the computer to a booby-trapped web page and he took control of it.)

For this reason, it is no longer sufficient to protect Macs from malware with a simple anti-virus program. The only way to ensure that Macs are safe from the many dangers of the internet is to use combined protection, where anti-virus software works in concert with a two-way firewall, and software that protects from web threats, phishing, spyware, Trojan horses and more.

Apple's market share is on the rise, and malware writers are sensitive to the fact that Mac users are generally in a higher income range, and have less experience dealing with security issues. While Trojan horses can fool gullible users, most Windows users are aware of this risk, but Mac users are unfamiliar with it. And with targeted attacks from poisoned web pages, cyber-criminals can take advantage of vulnerabilities in web browsers and Mac OS X itself to take control of Macs when users simply visit web pages.

Comments (9)

Interesting article. However I fail to see the source value for some of these reference points :

"Apple's market share is on the rise, and malware writers are sensitive to the fact that Mac users are generally in a higher income range, and have less experience dealing with security issues."

I disagree with this statement. How can you say Mac users have less experience dealing with security issues? By the same token you could say they have greater security awareness as there are fewer exploits on Mac users. Are you considering devices such as iPhone users, which don't necessarily relate to higher income?

I agree that Mac users are targeted, but have been since Apple began. With a rise in popularity you will obviously have a rise in exploit attempts. However I would also say that the security of OSX is very high compared with competitive OS's.

I'm a little confused by the references as well. The examples used in this article contain only Trojans which were distributed through illegal channels such as BitTorrent? Could it therefore be said the target was torrent users as much as Mac users?

Phishing attacks are not OS specific. A mac/windows/*nix user has to be equally vigilant. These are not OS dependent attacks. The example you have used 'MobileMe' is not Mac specific (http://www.apple.com/mobileme/features/pc.html)

"For this reason, it is no longer sufficient to protect Macs from malware with a simple anti-virus program. The only way to ensure that Macs are safe from the many dangers of the internet is to use combined protection, where anti-virus software works in concert with a two-way firewall, and software that protects from web threats, phishing, spyware, Trojan horses and more."

I think this statement is ill founded. The bottom line is security awareness is not OS specific and having a more secure OS or anti-virus software doesn't make you immune. However, security-conscious users should consider using the most secure tools available to them, whether that includes OSs, browsers and such software. Mac is by far one of the most secure OSs on the market today and users of this OS may be more security aware, which has led to their choice of such an OS.

"While Trojan horses can fool gullible users, most Windows users are aware of this risk, but Mac users are unfamiliar with it."

This statement shows a complete misunderstanding of security and users. I'm surprised the BCS has allowed this to be published.


2

I enjoyed it wrote on 11th Feb 2010

I enjoyed both comments.
I am a Mac user by choice and use Sophos as my security provider for Mac, Linux and Windows.
My view is that security is a state of mind and can see what you are both saying.
I wonder if Sophos or any other big providers publish statistics on the number of reported cases.
I will call them today to ask.


3

Clive Walters wrote on 11th Feb 2010

Together, the article and Craig's comment offer a balanced perspective. Intego want to increase their market, so you could say they wish to talk up threats.
The comment by Craig focusses more on the nature of threats, placing Macdom into its rightful position as a minority contributor for reasons stated. Between them, we have an advisory on each.
To totally trust a "Maginot line" solution as offered by suppliers is precarious, as history proved.
Usually, the answer is to recognise threats exist everywhere, their source varies and workarounds to protection will always be threatened. Continued user education and vigilance are essential to encourage us to be less trusting of the internet's offerings without becoming paranoid!


4

Mark Slater wrote on 11th Feb 2010

More security industry scare mongering! The underlying message here is if you're going to download illegal software then you might catch something nasty. Not really a revelation is it?
I agree with Craig - why has the BCS published this article?


Guys, security vendors are IT professionals too. Even those of us who work in the AV industry. I know you'll just write this comment off as vendor scaremongering too, but I'm going to make it anyway.

(1) I don't think that the low volume of Mac attacks directly correlates with the security awareness of Mac users. My experience - as someone who was in Mac support for many years - is that while Mac users don't stumble on security threats as often, they're at least as capable of gullibility.
(2) BitTorrent is the vector here, rather than the attack target. If it's an OS X binary, you can't say it's not a Mac threat.
(3) A few years ago, OS X was way ahead of most flavours of Windows in terms of security. That time has gone, and Apple (and some Mac users) are clinging to a romantic image. You can argue about whose approach is better in some details, but there is no yawning gap. And Microsoft is much more aware of its surroundings in malware terms than Apple, which is still in denial.

This article is technically sound, however . (Trust me: I work for one of the author's competitors...) It would be a pity if the BCS stopped publishing stuff like this because it invites strong opinions.


8

James wrote on 20th Jul 2010

Oh Apple fanboys. Apple will be targeted and exploited more as market share increases. But none will be exploited to the extent that we saw last decade. All have learned from that.
And it's unfortunate for most who were, because MS gave them the ability to use accounts without admin rights starting in Win2k. People just didn't want to.


9

Nigel Morgans wrote on 21st Dec 2010

An article about security is always an argument about safety. There will always be advocates for one platform or another, whether it is Android, Mac O/S, Linux or Windows. The downside is that any software will have flaws and these will always need to be patched. The software is only as good as it is written or the platform that it runs on; whether PC, laptop, iPad, smartphone or a logic control device, they are all vulnerable.
Security software will always be required to guard against the unknown.